Re: Laptop - Full Disk Encryption? (Booting defeats FDE)



Yes, but disk encryption is not about intrusion prevention. That's a separate issue.

If you were running an OS on an encrypted disk, the encrypted disk does not make the processes of the OS any more secure than if the disk were not encrypted. The OS's vulnerabilities are still vulnerable; the disk encryption does not help in that regard. If a user is compromised, the consequences are the same, almost.

Disk encryption is more about mitigation. Just dismount the volume and capture is moot to the guest, other than being offline (obviously). Its data is safe, or at least all the data that was not yet captured before the plug was pulled.

I'm thinking of it more as a computer with a BIOS password that cannot be blanked out, locked in a room that when the door is closed cannot be opened except by the owner. It's still a computer, and while the door is open and the computer is on it's still vulnerable and always will be.

Not saying it's perfect. Nothing is.
Just an idea.

Ansgar -59cobalt- Wiechers wrote:
On 2007-12-06 Tim A. wrote:
Here's a crazy idea:

Run a Virtual Machine inside a TrueCrypt volume.
The VM cannot even be opened until the TrueCrypt volume is mounted.
*Everything* is encrypted, paging file / swap file, OS and User right down to your CMOS and boot blocks.

How will it perform? Good question. Give it a shot.

Performance issues aside, an attacker will still be able to manipulate
the host operating system, which in turn will be able to manipulate the
guest operating system once the VM is started. Virtual Machines are
designed to protect the host OS from the guest OS, *not* vice versa.

Regards
Ansgar Wiechers


